CVE-2026-46070 Linux CVE debrief

Who should care

System administrators managing Linux servers with software RAID5/RAID6 configurations using kernel-level journaling, particularly those in high-availability storage environments where RAID array integrity is critical

Technical summary

The vulnerability exists in the Linux kernel's RAID5/RAID6 cache (r5c) and log (r5l) journal recovery implementations. When recovering from a corrupted journal, the functions `r5c_recovery_analyze_meta_block()` and `r5l_recovery_verify_data_checksum_for_mb()` iterate over payload entries in metadata blocks using size fields read directly from disk without validation. A malicious or corrupted journal with oversized payload size fields could cause the kernel to read beyond allocated buffer boundaries (PAGE_SIZE), resulting in out-of-bounds memory access. The fix implements bounds checking to ensure each payload's claimed size fits within the remaining metadata block space before processing, preventing the out-of-bounds read condition.

Defensive priority

medium

Recommended defensive actions

• Apply kernel updates from your Linux distribution that include the fixes for CVE-2026-46070
• Verify that systems using md/raid5 with journaling (write-intent bitmap or journal device) are running patched kernel versions
• Monitor kernel logs for RAID array recovery events that may indicate journal corruption attempts
• Consider implementing filesystem-level integrity monitoring for critical RAID configurations
• Review backup and recovery procedures for systems relying on md/raid5 arrays

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry. Technical details confirmed through kernel.org git commit references. The issue was resolved via multiple stable kernel commits adding bounds validation for payload processing in r5c and r5l recovery functions.

Official resources